Fwd: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login
Matthias Apitz
guru at unixarea.de
Sat Jul 29 07:18:35 UTC 2017
I'm forwarding this to freebsd-net@ because it seems that the upstream
mailing list vpnc-devel at unix-ag.uni-kl.de is dead.
I have modified the vpnc.c source so it prints the RSA code entered by
the user; as it is a one-time key, this is no security problem:
# /usr/ports/security/vpnc/work/vpnc-0.5.3/vpnc
Password for VPN xxxxxxx at 193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx at 193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx at 193.31.xxx.196:
RSA token entered was [55526846]
Connect Banner:
| ==== XXXXXXXX Germany VPN ====
|
| Use is restricted to XXXXXXXXXXXXXX authorized users.
| Usage and activity may be monitored or recorded and may be subject to auditing.
| Unauthorized access is strictly prohibited!
add host 193.31.xxx.196: gateway 10.42.0.1
...
i.e. after the same passcode is entered for the 3rd time it connects fine.
More details below in the forwarded text.
Any ideas? Thanks
matthias
----- Forwarded message from Matthias Apitz <guru at unixarea.de> -----
Date: Fri, 28 Jul 2017 10:06:16 +0200
From: Matthias Apitz <guru at unixarea.de>
To: vpnc-devel at unix-ag.uni-kl.de
Cc: ehaupt at FreeBSD.org
Subject: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login
(I have copied the MAINTAINER in FreeBSD, I don't know if vpnc is still
maintained upstream)
Hello,
I have additional observations/remarks on this.
To generate the 8-digit secret, I'm using an RSA app on my iPhone.
I can reproduce the following from my home office as well as when connected over mobile
data using my smartphone as an access point:
1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds
for the rest of the following procedure)
2. I start the vpn client and enter the 8 digits carefully
3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time
4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time
5. VPN comes up fine after this
This is fully reproducible if someone needs more information.
I used the --debug 3 mode of vpnc and this shows an interesting dialog in the tons of
debug lines:
...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!
add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table
...
S5.4 xauth type check
[2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
<Ctrl-D> to cancel the New PIN procedure: <*************************************
S5.5 do xauth authentication
[2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
[2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************
S5.5 do xauth authentication
[2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
[2017-07-28 07:37:25]
^M
^M
PIN rejected. Please try again.^M <****************************************
^M
Enter PASSCODE: <****************************************
S5.5 do xauth authentication
[2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
Banner: ==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...
From here on everything is connected fine.
There seems to be some dialog in the authentication procedure which wants me to change
the PIN, asking for a confirmation of the new PIN and is failing to accept this new PIN.
This would explain why I'm asked three times for some secret: two times for some PIN and
at the end for the 8 RSA digits.
Does this ring someone's bell?
I tested the same with a Windows VPN client. This connects fine after
entering the 8 digits the first time.
matthias
_______________________________________________
vpnc-devel mailing list
vpnc-devel at unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
----- End forwarded message -----
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May 8, 1945: Who does not celebrate lost the War.
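As an added illustration, not code from vpnc and not from the poster: a small Python parser over a constructed excerpt of the `--debug 3` output quoted above. It recovers the server's XAUTH message text for each `S5.4 xauth type check` / `S5.5 do xauth authentication` round and recognizes the SecurID New PIN dialog (new PIN request, re-enter, rejection, then PASSCODE), which is exactly the sequence the forwarded mail diagnoses. The `S5.4`/`S5.5` markers and the prompt strings are taken from the quoted log; the sample log, the `<****` arrow stripping and the function names are constructed for this example. The point for a client implementer or a debugging user is that the server's own message, shown verbatim instead of a generic "Password for VPN" prompt, would immediately reveal that the token code is being sent as a new PIN.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the vpnc --debug 3 output quoted in the post.
# The "<****" marks are the poster's own arrows, not server text; the parser strips them.
SAMPLE_DEBUG_LOG = (
    "S5.4 xauth type check\n"
    "[2017-07-28 07:37:04]\n"
    "\r\n"
    "Enter your new PIN, containing 5 chars,\r\n"
    "or\r\n"
    "<Ctrl-D> to cancel the New PIN procedure: <*************************************\n"
    "S5.5 do xauth authentication\n"
    "[2017-07-28 07:37:04]\n"
    "size = 40, blksz = 8, padding = 0\n"
    "S5.4 xauth type check\n"
    "[2017-07-28 07:37:14]\n"
    "\r\n"
    "Please re-enter new PIN: <************************************\n"
    "S5.5 do xauth authentication\n"
    "[2017-07-28 07:37:14]\n"
    "S5.4 xauth type check\n"
    "[2017-07-28 07:37:25]\n"
    "\r\n"
    "\r\n"
    "PIN rejected. Please try again.\r <****************************************\n"
    "\r\n"
    "Enter PASSCODE: <****************************************\n"
    "S5.5 do xauth authentication\n"
    "[2017-07-28 07:37:25]\n"
)

ROUND_START = "S5.4 xauth type check"        # vpnc debug marker: server sent an XAUTH request
ROUND_END = "S5.5 do xauth authentication"   # vpnc debug marker: client is about to reply
TIMESTAMP = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]$")
ARROW = re.compile(r"\s*<\*+\s*$")           # poster's "<****" annotations at line end


@dataclass
class XauthRound:
    index: int       # 1-based round number in the exchange
    message: str     # server's XAUTH message text, CRs and arrows removed
    kind: str        # new_pin_request | new_pin_confirm | passcode_request | unknown
    rejected: bool   # server reported that the previous answer was rejected


def classify(message: str, index: int) -> XauthRound:
    """Map the server's prompt text to the SecurID dialog state it represents."""
    text = message.lower()
    rejected = "rejected" in text
    if "new pin" in text and "re-enter" in text:
        kind = "new_pin_confirm"
    elif "new pin" in text:
        kind = "new_pin_request"
    elif "passcode" in text:
        kind = "passcode_request"
    else:
        kind = "unknown"
    return XauthRound(index, message, kind, rejected)


def extract_rounds(log: str) -> list:
    """Collect the server message text between each S5.4 and S5.5 marker."""
    rounds = []
    current = None
    for line in log.replace("\r", "").split("\n"):
        if line == ROUND_START:
            current = []
            continue
        if line == ROUND_END:
            if current is not None:
                rounds.append(classify(" ".join(current), len(rounds) + 1))
            current = None
            continue
        if current is None or TIMESTAMP.match(line):
            continue
        cleaned = ARROW.sub("", line).strip()
        if cleaned:
            current.append(cleaned)
    return rounds


def in_new_pin_mode(rounds: list) -> bool:
    """True when the concentrator asked for a new PIN rather than a passcode."""
    return any(r.kind == "new_pin_request" for r in rounds)


def user_prompt(r: XauthRound) -> str:
    """What a client should show instead of a generic 'Password for VPN' prompt."""
    hint = {
        "new_pin_request": "server is in New PIN mode; it wants a NEW PIN, not the token code",
        "new_pin_confirm": "server wants the new PIN typed again",
        "passcode_request": "server wants the PIN+token passcode",
    }.get(r.kind, "unrecognized XAUTH prompt")
    return f"[{r.index}] {r.message}  ({hint})"


if __name__ == "__main__":
    parsed = extract_rounds(SAMPLE_DEBUG_LOG)
    for r in parsed:
        print(user_prompt(r))
    print("New PIN dialog detected:", in_new_pin_mode(parsed))
```

Run against a real `--debug 3` capture, the parser needs only the two `S5.x` marker lines to be present; everything else between them is treated as server message text.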